22, August 2008

Cross site tracking attack in Apache - webmaster forum

 
I am a metal monkey!
Administrator

« on: Mar 17, 2006, 01:20:00 PM »

This vulnerability is actually a problem that IIS also has, but the solution I will provide is for Apache only.

The problem is that a user can use the HTTP TRACK / TRACE method to get session information including cookies!

To prevent attackers from doing so, use this in your httpd.conf or .htaccess:

Code:

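RewriteEngine On
# Match any request whose method starts with TRACE
RewriteCond %{REQUEST_METHOD} ^TRACE
# Refuse it with 403 Forbidden, whatever the URL
RewriteRule .* - [F]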


OMG!I am geek

« Reply #1 on: Mar 17, 2006, 01:54:29 PM »

Sounds like a serious vulnerability.

Thanks for sharing. I will add it to my .htaccess file.
Just another rainy day

« Reply #2 on: May 03, 2007, 03:00:41 PM »

I am using Apache version 2.0.55 on the Solaris 8 platform. But due to "RewriteEngine On" in the Apache module, there was an Apache - Mod_Rewrite - Off-By-One Buffer Overflow issue. So I upgraded to Apache 2.0.59. Now I also need to disable the HTTP TRACE method in this Apache version. But if I change Rewrite Off to Rewrite On in the Apache httpd.config file to disable HTTP TRACE, it will again introduce the Apache - Mod_Rewrite - Off-By-One Buffer Overflow issue. Can you therefore provide an alternative solution for the HTTP TRACE issue?

I am a metal monkey!
Administrator

« Reply #3 on: May 03, 2007, 03:50:42 PM »

I am afraid this can't be done without modifying the source code of Apache....

So I guess you will have to leave one of these vulnerabilities open. Or maybe check how this overflow is running in Solaris. To use the HTTP_TRACE mod_rewrite rule, you need to apply it in your httpd.conf file. Maybe the mod_rewrite overflow problem is happening for certain rules, or in general happens under some circumstances.
